CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-50290

mediumcovered by 1 sourcefirst seen 2026-07-02
Finding Location: core/src/server/render-to-string.ts:307-311 CSS value sanitization stripped expression( and url(javascript: using simple regex, but could be bypassed with CSS unicode escapes (\65xpression(), null bytes, or CSS comments (exp//ression(). Mitigating Factor: These CSS injection vectors only work in legacy browsers (IE6-IE10). SpecifyJS targets modern browsers. Status Fixed in v0.2.136** — CSS sanitization now normalizes unicode escapes and strips CSS comments before pattern matching. Also checks for behavior:, -moz-binding, and -o-link patterns.

⚡ Watch CVE-2026-50290

Get an email if CVE-2026-50290 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-50290

CVE.org record

Embed the live status

CVE-2026-50290 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-50290 status](https://www.csirts.com/badge/CVE-2026-50290)](https://www.csirts.com/cve/CVE-2026-50290)